January 9, 2025
Severity
High
Analysis Summary
Researchers have discovered a new remote access malware known as NonEuclid that gives malicious actors the ability to take over infected Windows devices from a distance. The C#-developed NonEuclid remote access trojan (RAT) is an extremely complex piece of malware that provides unauthorized remote access using clever evasion tactics.
It uses a number of techniques, including ransomware-style encryption of valuable data, privilege escalation, antivirus bypass, and anti-detection. NonEuclid has been promoted in underground forums since at least late November 2024, and discussions and tutorials about the malware have appeared on well-known platforms such as YouTube and Discord. This points to a deliberate effort to market the malware as a crimeware offering.
Fundamentally, the RAT starts with a client application initialization phase, then runs several evasion checks before configuring a TCP socket to communicate with a given IP and port. It also monitors for processes such as "taskmgr.exe," "processhacker.exe," and "procexp.exe," which are commonly used for analysis and process management, and adds Microsoft Defender Antivirus exclusions so the security tool will not flag its artifacts. It enumerates running processes with the Windows API functions CreateToolhelp32Snapshot, Process32First, and Process32Next and checks whether each executable name matches one of the designated targets. If a match is found, depending on the AntiProcessMode setting, the client either exits or kills the matching process.
According to the researchers, the malware employs several anti-analysis strategies, such as detecting whether it is running in a virtual or sandboxed environment and terminating immediately if it is. It also includes functionality to bypass the Windows Antimalware Scan Interface (AMSI). NonEuclid attempts to elevate privileges by evading User Account Control (UAC) safeguards and executing commands, while persistence is achieved through scheduled tasks and Windows Registry modifications. A rather unusual capability is its ability to encrypt files with specific extensions (such as .CSV, .TXT, and .PHP) and rename them with the suffix ".NonEuclid," effectively turning it into ransomware.
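The behaviours described above (Defender exclusions being added, persistence via scheduled tasks, and a burst of files renamed with the ".NonEuclid" suffix) are each observable in standard Windows telemetry. The following is an added example of detection logic, not code from the advisory or from the malware, run over a handful of constructed event records. The event IDs are real (Defender Operational 5007 for a configuration change, Security 4698 for scheduled-task creation, Sysmon 11 for file creation), but the record shape, the field names, the burst threshold and window, and the list of user-writable path fragments are all assumptions chosen for this example.

```python
"""Detection rules for NonEuclid-style behaviour over parsed Windows events.

Added example; the event dicts below are constructed sample telemetry, not
real captures. Event IDs are genuine Windows/Sysmon IDs; field names and
thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_SUFFIX = ".noneuclid"          # suffix named in the advisory
BURST_THRESHOLD = 5                   # assumed tuning value
BURST_WINDOW = timedelta(seconds=60)  # assumed tuning value
# Assumed fragments of user-writable locations that a scheduled task
# pointing at them should be treated as suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed sample events (one host shows all three behaviours, the
# other host and the benign records should not alert).
SAMPLE_EVENTS = [
    {"ts": "2025-01-09T10:00:01", "source": "Defender", "event_id": 5007, "host": "WS01",
     "message": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming\svc.exe = 0x0"},
    {"ts": "2025-01-09T10:00:02", "source": "Defender", "event_id": 5007, "host": "WS02",
     "message": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1"},
    {"ts": "2025-01-09T10:00:05", "source": "Security", "event_id": 4698, "host": "WS01",
     "task_name": r"\Updater", "command": r"C:\Users\alice\AppData\Roaming\svc.exe"},
    {"ts": "2025-01-09T10:00:06", "source": "Security", "event_id": 4698, "host": "WS02",
     "task_name": r"\Vendor\Sync", "command": r"C:\Program Files\Vendor\sync.exe"},
    {"ts": "2025-01-09T10:01:30", "source": "Sysmon", "event_id": 11, "host": "WS02",
     "target_file": r"C:\Users\bob\Documents\notes.txt.NonEuclid"},
] + [
    {"ts": f"2025-01-09T10:02:{i:02d}", "source": "Sysmon", "event_id": 11, "host": "WS01",
     "target_file": rf"C:\Users\alice\Documents\report{i}.csv.NonEuclid"}
    for i in range(6)
] + [
    {"ts": "2025-01-09T10:03:00", "source": "Sysmon", "event_id": 11, "host": "WS01",
     "target_file": r"C:\Users\alice\Documents\plain.txt"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def rule_defender_exclusion(events):
    """Defender 5007 whose changed key lives under the Exclusions hive."""
    alerts = []
    for e in events:
        if e.get("source") == "Defender" and e.get("event_id") == 5007:
            if "\\exclusions\\" in e.get("message", "").lower():
                alerts.append({"rule": "defender_exclusion_added",
                               "host": e["host"], "detail": e["message"]})
    return alerts


def rule_task_from_user_path(events):
    """Scheduled task (4698) whose action runs from a user-writable path."""
    alerts = []
    for e in events:
        if e.get("source") == "Security" and e.get("event_id") == 4698:
            cmd = e.get("command", "").lower()
            if any(frag in cmd for frag in USER_WRITABLE):
                alerts.append({"rule": "scheduled_task_user_path",
                               "host": e["host"], "detail": e["command"]})
    return alerts


def rule_ransom_rename_burst(events):
    """BURST_THRESHOLD or more '.NonEuclid' files on one host inside BURST_WINDOW."""
    per_host = defaultdict(list)
    for e in events:
        if e.get("source") == "Sysmon" and e.get("event_id") == 11:
            if e.get("target_file", "").lower().endswith(RANSOM_SUFFIX):
                per_host[e["host"]].append(_ts(e))
    alerts = []
    for host, times in per_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append({"rule": "ransom_rename_burst", "host": host,
                               "detail": f"{end - start + 1} files with {RANSOM_SUFFIX} "
                                         f"within {int(BURST_WINDOW.total_seconds())}s"})
                break
    return alerts


def detect(events):
    """Run every rule and return the combined alert list."""
    return (rule_defender_exclusion(events)
            + rule_task_from_user_path(events)
            + rule_ransom_rename_burst(events))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["host"], alert["detail"])
```

Against the constructed records, only WS01 produces alerts: one for the Defender exclusion, one for the scheduled task launched from AppData, and one for the rename burst; the single ".NonEuclid" file on WS02 stays below the burst threshold, and the benign Defender scan change and Program Files task are ignored. In practice the three rules would be fed from the corresponding event channels and the thresholds tuned to the environment.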
The NonEuclid RAT, which combines sophisticated stealth mechanisms, anti-detection characteristics, and ransomware capabilities, is a prime example of the growing sophistication of contemporary malware. Its extensive marketing on educational platforms, Discord channels, and underground forums shows how appealing it is to cybercriminals and emphasizes how difficult it is to counter such threats. The malware's versatility in avoiding security measures is demonstrated by the incorporation of features including privilege escalation, AMSI bypass, and process blocking.
Impact
- Unauthorized Access
- Security Bypass
- File Encryption
- Privilege Escalation
Remediation
- Never trust or open links and attachments received from unknown sources/senders.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.